Project Insight was started to provide insightful articles that discuss the many different concepts of cyber security. We do our best to break down these concepts into easy-to-understand discussions so that any user can utilize this information.

Article 1: Introduction to Safe Internet Browsing

In 2016 there were over 35 million confirmed personal records compromised in the United States. A comprehensive report from the Identity Theft Resource Center breaks this down into several areas: 72,000 from banks, 6 million from businesses, 1 million from education, 13 million from government and 15 million from medical. With this number rising every year, there are several ways to browse the Internet more safely while lowering the risk of having your personal data compromised. This article will serve as a general guide to some safe Internet browsing practices.

Browsers
With so many Internet browsers across several platforms, there is one browser that consistently provides the best user experience while offering strong security tools. Mozilla Firefox is a well-maintained and modern Internet browser with a great development and support team. To start browsing securely, go to Mozilla.org, then download and install Firefox for your operating system.


One of the simplest tools that can be utilized once Firefox is installed is its private mode. Private mode allows you to browse without saving your history, and information you input will not be saved anywhere in the browser cache.


Identifying Secure Websites
There are a few ways to identify whether a website is secure. The first is the URL (Uniform Resource Locator, or Internet address) of the website you want to visit. Most URLs now start with “https://”, as in “https://www.example.com”, which means that data going from your computer to that website is encrypted. Visiting a website with only “http://” puts you at a substantial risk, especially if you are entering personal information on that website. You will typically also see a green lock icon in the top right of the address bar of your browser indicating the site you are visiting is secure. Satisfying these two conditions when browsing will reduce the risk of your data being compromised.


How to Avoid Potential Phishing
The following items describe different ways to recognize potential phishing attempts. Phishing is when someone attempts to collect your information without your consent through an email, a website made to look like the websites you visit, or other electronic communication. Using this information you will be better able to recognize and avoid losing your information through phishing.

The message contains a mismatched URL
The first check applies when you are looking at a suspicious email message. Oftentimes the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the top of the URL, you should see the actual hyperlinked address. If the link you intend to go to doesn’t match the URL in the address bar, it is most likely a phishing attempt.

A URL contains a strange domain name
People who launch phishing attempts often depend on the victim not knowing how the DNS (Domain Name System) naming structure for domains works. The last part of a domain name is the indicator. For example, the domain name info.example.com would be a child domain of example.com because example.com appears at the end of the full domain name. A domain like example.com.maliciousdomain.com, however, would not have originated from example.com because the reference to example.com is on the left side of the domain name.

The message contains poor spelling and grammar
Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality. So if a message is filled with poor grammar or spelling mistakes, it probably didn't come from a major corporation's legal department.

The message asks for personal information
No matter how official an email message might look, it's always a bad sign if the message asks for personal information. Your bank doesn't need you to send it your account number. It already knows what that is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.

The offer seems too good to be true
There is an old saying that if something seems too good to be true, it probably is. That holds especially true for email messages.

You didn't initiate the action
If you get a message informing you that you have won a contest you did not enter, it will most likely be a phishing attempt.

You're asked to send money to cover expenses
In the correspondence, the person will likely ask for money to cover expenses, taxes, or fees.

Something just doesn't look right
If it doesn’t feel right, there’s probably a reason why.

Summary
This article covered the basics of secure web browsing, including browser applications, identifying secure websites and how to recognize phishing attempts. Look for more articles covering in-depth information on these topics soon from Project Insight.

Sources
- "10 Tips for Spotting a Phishing Email." TechRepublic. N.p., 15 Oct. 2015. Web. 17 Jan. 2017.
- "Data Breach Report." ITRC. Dec. 13, 2016.

Article 2: Browser Add-ons for Safe Web Browsing

Downloading and installing a safe Internet browser is an important first step in securing your interactions online. This article discusses add-on tools for Mozilla Firefox to greatly increase security. Some of these tools will affect the visual aspect of websites.

Installing and Managing Add-ons

To add any of the add-ons mentioned below, you must go to your settings in Firefox. This menu is accessible in the top right corner of the browser.


From this menu, select the puzzle piece icon labeled “Add-ons” and you’ll be brought to the add-ons menu, which shows the tools you currently have installed. To install a new add-on, click on “Get Add-ons” on the left side of the browser.


Scroll to the bottom of the page and click on “Get more Add-ons”.


On this page there will be a search box where you can search for the tools you want to add to the browser. The next section will go over each tool to install.

Ghostery

Ghostery is a tool for your web browser that blocks tracking and other widgets that are embedded in websites. This speeds up page loading while securing your browsing data.

HTTPS Everywhere

This extension will force HTTPS on any website that has an available certificate, which makes sure that any information traveling from the computer to the server is encrypted.

NoScript

Adding NoScript to your browser tools allows you to control what content can be viewed for Java, JavaScript and Flash plugins.

uBlock Origin

The last tool to add is uBlock Origin, which blocks malicious websites, trackers and intrusive website advertisements.

Why is this Important?

Websites that do not charge anything collect information on you so they can supply ads through the browser to match your interests, and sell your personal information to third parties for the same use. This is becoming very dangerous because this information is being leaked on the Internet. These steps will help prevent these issues.

Article 3: Secure Connection Tools

Using a secure Internet browser along with various add-on tools is a great way to protect your information when online. However, there are some important tools available for when extra caution might be needed. Do keep in mind that these tools may affect your browsing experience, including some content and location-based services.

Tor Browser

The Tor browser allows users to browse the Internet while minimizing any tracking information sent to the websites they visit. When using Tor, your connection is distributed among a network of globally distributed relays. It also allows you to mask your computer's location and access websites that are not available on the world wide web.

To install the Tor browser, go to https://www.torproject.org/download/download-easy.html.en and select the correct download for your operating system. Depending on your operating system, download and run the installation file. Follow the prompts and, once installed, run the executable file. It may take a while for a connection to be established, but once it is, the browser will open. From there you can use it as you would any other Internet browser.


Using a VPN
A Virtual Private Network distributes your connection while encrypting your traffic from your device to the VPN server. It also masks your computer's location. You can use a VPN on your devices, including your computer, smartphone or tablet, and it is supported by most major operating systems.

PIA VPN can be downloaded for PC, Mac OS, Linux, iOS and Android. To install, go to https://www.privateinternetaccess.com/pages/client-support/. Keep in mind that this tool requires a subscription, which starts at $3.33 a month.


Article 4: Secure Email

Email is one of the most relied-upon methods of communication, especially in business. There are a few different services that can help ensure that information being transmitted is not compromised. This article will cover these services and discuss different options depending on your device.

Proton Mail

Proton Mail offers a simple and easy-to-set-up solution for encrypted email. Proton Mail has a web-based client for your PC or Mac and has apps for iOS and Android. Proton Mail is a free, open source, and modern platform. It provides end-to-end encryption and the capability for anonymous email, all hosted in Switzerland, which offers better privacy under Swiss privacy laws.

To install, use the link below to sign up for an account, then follow the sections for downloading for your device. https://protonmail.com/


Thunderbird
The Thunderbird email client is provided by Mozilla, the same people behind the Firefox browser. Like Firefox, Thunderbird has support for third-party add-ons, which allows users to have greater security. While Proton Mail requires you to sign up for an account, Thunderbird can be set up using an already existing email address.

One of the best add-ons for Thunderbird is Enigmail. This tool enables users to encrypt their emails using PGP (Pretty Good Privacy). To use this you have to create a set of keys, one private key for yourself and one public that you send to whomever you are emailing. This is covered in further detail later in the article.

Use the link to download Thunderbird for your PC or Mac computer. https://www.mozilla.org/en-US/thunderbird/

Since there is no native Thunderbird app for iOS or Android, here are a couple of options to set up email with PGP encryption.


K-9 Mail
K-9 Mail is an app for Android devices. Set up the account that you integrated with Thunderbird. You will also need an app like OpenKeychain to use PGP encryption when sending and receiving emails on your Android device.


To use OpenKeychain, search for it in the Google Play Store and install it on your Android device. You will need to go through generating keys before you can use this app with K-9 Mail, which is explained later in this article.


Once you have your keys generated, you will need to transfer the key file to your Android device. Then open the OpenKeychain app and press the add button. Use the file browser to find the key file.


If you have keys from your contacts, you can encrypt and decrypt emails. When opening an email, a prompt will automatically pop up to use your keys to decrypt.


When sending emails in K-9 Mail there will now be a lock symbol next to the contact. You can press the symbol and select whether you want to encrypt the email or not.


iPGMail

For iOS devices you can install iPGMail and set up your account like you did on Thunderbird. Since we don’t use iOS devices right now, you may need to look up how to set up the iPGMail app.


Setting up PGP Encryption Keys

To use PGP encryption on Thunderbird and mobile devices you will need to set up public and private keys for yourself as well as add the keys of those you wish to communicate with. To do so, follow these steps:

1. Go to Thunderbird Settings, click the right arrow on Enigmail and select key management.


2. Click on Generate and then on new key pair.


3. Fill in the details in the form, then click Generate key. You need to remember your passphrase, otherwise you will have to generate a new key pair.


4. Make sure you know where your keys are stored on your computer. You will need the key file if you change devices in the future.

5. When you want to begin emailing someone using PGP encryption, you will start as you would with any regular email. Then you will notice at the top of the message window there are a few Enigmail options. If you are emailing someone for the first time, you will send your public key.


6. At some point your contact will also have to send you their public key, which you should store in a secure folder on your device.

7. Now that both you and your contact have each other’s public keys you can send and receive encrypted emails. To do so, click the lock symbol in the message window.

Setting up encrypted email is an important part of establishing better privacy and security. While regular mail services offer simplicity and convenience, taking these extra steps takes only a short amount of time and ensures better electronic communication in the future.

Article 5: Encrypted Messaging Applications for Desktop and Mobile

With messaging being a main method of communication, there are several resources available for secure and private messaging.

Tox

Tox has been an ongoing open source project for several years and provides peer-to-peer encrypted messaging. The goal of the project is to provide a completely secure messaging platform that anyone can use without any prior knowledge of cryptography.

The main claim to fame for Tox is the server-less protocol it uses. Tox is completely p2p when communicating with a single friend or a group. This enables confidence in the platform since the only data stored is on your own machines. Tox allows you to route all your messages and calls through Tor which helps with keeping your IP anonymous.

Some other cool things are you don’t actually have an “account” on Tox. If you were to wipe your computer without backing up your Tox databases, your specific ToxID would be lost forever. This allows you to make as many accounts as you want with ease. The Tox team is currently working on device syncing (without servers) and battery improvements.

Tox can be used on Windows, MacOS and Linux, along with an Android beta mobile client called AnTox and an iOS app called Antidote for Tox.
https://tox.chat/about.html


Once Tox is installed, you can set up your account and then go to your profile and copy your unique Tox key.


Only share this Tox key with another Tox user you want to message.

Conversations

Conversations is a mobile app for Android users that offers more customization in the type of security tools you can use for messages along with a wide array of features.

Conversations is very different in the sense that it uses XMPP servers as the transport for messages. You can either find a public XMPP server like or create your own for ultimate privacy. (Below are links to both)



You can also use a wide variety of protocols for message encryption such as: OMEMO, OTR, and OpenPGP (our favorite here at Lockin). If you would like to learn more about each and every encryption protocol the Wikipedia page for each of these types would be a great place to start.

Conversations is available on the Google Play Store.


Signal

Signal is an application that uses end to end encryption. It offers most features seen in other messaging applications including video and audio calling.

This service was co-created by the famous Moxie Marlinspike and uses the “Signal Protocol”. Big names like Google and WhatsApp also use the Signal Protocol in their applications, making it one of the most widely used protocols in messaging services.

Signal has quite a few privacy features, such as verifiable numbers and disappearing messages, which are extremely useful for communicating with untrusted contacts. You can also create a pin code for the app so that each time it is opened it requires additional authentication to enter the app. Something that other p2p calling services fail to do is hide your IP from the contact you are talking to. Signal offers a setting to relay through their services to hide your IP address from the contact.

Signal is available for iOS, Android and Chrome.


Article 6: Encrypted File Storage

If you choose to keep files digitally, whether on your device or online, it is important to know how to encrypt files that may contain personal or sensitive information. Think of what files you have stored. Would you want someone peering in on the contents of files like your taxes, finances, application forms, photos, and videos? Obtaining information to use against someone takes only a few key pieces of information. Encrypting files is one of the best ways to protect your information, and in this article we’ll go over a couple of different methods to achieve this.

Hard Drive Encryption

To encrypt files on your computer you can use the utility “VeraCrypt”. VeraCrypt allows you to create specific encrypted folders along with the ability to encrypt drives and external storage devices. VeraCrypt offers several different encryption methods and is available for Windows, Mac OSX, and Linux.


To install, head to the link below.
https://www.veracrypt.fr/en/Downloads.html

Setting up your encrypted folders or drives involves several steps, and we recommend referencing their guide to avoid making any mistakes or losing your files by improperly configuring VeraCrypt. Their guide is available at the link below.
https://launchpadlibrarian.net/289850232/VeraCrypt%20User%20Guide.pdf

Cloud Storage Encryption

We have created an online file storage product called Vault, which we recommend for anyone looking to store their files online. We offer the same features as the big file storage names, including organizing, viewing, and sharing your files with other users. Vault requires minimal information to create an account and offers complete privacy for your files. Only you control who can access your files.


To use Vault, visit the link below to sign up for an account. We also have a full tutorial covering how to use your account.
https://lockin.in/sub/store.php

Mobile Device Encryption

While there are several applications that offer some folder and file encryption for mobile devices, none seem to offer the security of simply encrypting your entire device. For iOS devices, your device is encrypted using a passcode you set when initially setting up the device. Every time you restart your iOS device you have to enter this passcode.


For Android devices, there are security settings that you can set up initially but that are not required. To encrypt your device, go to your settings and then go to security, where you should see the option to encrypt your phone. The process is different for some Android devices, but it will have you use a passcode or pattern that you will enter when you start up your device.

Article 7: Secure Operating Systems

Using secure tools on your computer is a great way to reduce the risk of data theft; however, to further increase security, a change in operating system exponentially reduces risk. In this article we will go over what elements make up a secure operating system and provide our recommendation for users who are changing their operating system for the first time.

Elements to look for in a secure operating system

When searching for a replacement for your current operating system there are a couple of things to consider. Besides the dominant Windows and Mac OSX there is a wide range of operating systems. Most of these are based on variations of Linux. Linux was created in 1991 and quickly grew to become the dominant server operating system because of its strong security. Today Android, the world's largest mobile operating system with over 2 billion active devices and 84% world market share, runs on components of Linux. There has been a resurgence in Linux desktop operating systems such as Elementary OS, which provides a great user interface instead of the terminals and complex-looking applications that you may think of when someone talks about Linux.


The developers of Elementary OS have a great explanation of what “Open Source” means. In their blog they define open source as source code that is available for all users to view and use. Opening up resources to all users allows a more open collaboration and community. Having more people looking at code is a great way to spot potential bugs or vulnerabilities that the development team might not have seen before.

Linux can be a much more secure operating system due to its permission handling and software environment. Windows software gives complete access to everything, which can be good for ease of use but allows malicious software the same level of access, which means it can control the whole system much more easily. With the variety of Linux-based operating systems, different applications have different software architectures; Windows, however, has the same architecture to build applications on, which would make it easier for malicious code to infect the system.

Elementary OS

Our recommendation for a first-time user coming from Windows or Mac OSX is Elementary OS. This particular version of Linux offers an easy-to-use interface and plenty of secure utilities backed by a great development community. Elementary OS has its own app store with an active community of users publishing new applications weekly.


The operating system comes with all the essentials you need to get started without extra bloat, and it has some of the same functionality you see in the major operating systems, like workspaces from Mac OSX. Another benefit is that the system requires fewer resources to run smoothly, providing a great user experience and bringing better longevity to older computers.

Installing Elementary OS

If you haven’t installed a different operating system on your computer before, it may seem complex, but the process is usually not as difficult as it seems. The simplest process is to completely remove the old operating system; however, you can configure your computer to boot into several choices.

For this article we will be focusing on installing Elementary OS, which has a very simple installation process. It is important to note that you should back up all your personal data onto a separate device, as the installation process will format your computer's hard drive.

*We are not responsible for any loss of data or damages to your device.*

For the complete set of instructions go to the link below.

https://elementary.io/docs/installation#installation